[squid-users] Squid Websocket Issue

Hardik Dangar hardikdangar+squid at gmail.com
Mon Jan 2 16:49:56 UTC 2017 

Hey Eliezer,

The issue was with whatsapp web socket was not working, here is detailed
information about issue
------------

Here is some information about my squid version,

Squid Cache: Version 3.5.22-20161115-r14113
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var/squid'
'--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-openssl' '--enable-ssl-crtd' '--enable-inline'
'--disable-arch-native' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-follow-x-forwarded-for'
'--enable-url-rewrite-helpers=fake' '--enable-ecap'

My squid config file is located at, http://pastebin.com/raw/LvDxEF4x

Now the issue is whenever someone requests a page which contains web socket
requests response is always bad request.
Here is an example,

Request URL:wss://w4.web.whatsapp.com/ws
Request Method:GET
Status Code:400 Bad Request

Response Headers
#################
Connection:keep-alive
Date:Sat, 17 Dec 2016 09:05:36 GMT
Transfer-Encoding:chunked
X-Cache:MISS from Proxy

Request Headers
#################
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w4.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/55.0.2883.75 Safari/537.36


My question is how we can work with web socket requests in squid or if not
by pass them squid. My squid instance is in interception mode and requests
are intercepted at instance via iptables and forwarded to squid using below
rules,

SQUIDIP=192.168.1.1

# your proxy listening port
SQUIDHTTPPORT=3128
SQUIDHTTPSPORT=3129


iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
$SQUIDHTTPPORT

iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port
$SQUIDHTTPSPORT

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPPORT -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPSPORT -j DROP


If anyone can help me with this it would be really awesome. Thanks for your
support.

----------------------------------------------------------

*Solution to above problem was,*

acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all

[ above is a feature of whatsapp which allows you to connect to
web.whatsapp.com from browser]


now what happens at request level is following,

Request URL:wss://w8.web.whatsapp.com/ws
Request Method:GET
Status Code:101 Switching Protocols

----------------------------------

Response Headers

Connection:Upgrade
Sec-WebSocket-Accept:Z6CC+QVdvB0cCHPbJAQMaHKL2uQ=
Upgrade:websocket

----------------------------------
Request Headers

Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w8.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:mbCFLN/Q1KMt58t6DoQI9Q==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/55.0.2883.75 Safari/537.36


So basically websockets are connected as normal https request( i think this
is a very nature of Web sockets and define somewhere in web socket
standards).


Now the problem statement is,

ssl_bump bump !serverIsws all

If i remove !serverIsws then it stops working. as per alex it shoudn't
happen and its a bug most probably.


On Mon, Jan 2, 2017 at 7:17 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Can we start from 0.
> Currently when squid knows about the Connection being a one with websocket
> support it is already too late to do anything about this specific
> connection.
> The only option for now is to identify these using some ICAP service that
> will for example redirect the request after a small delay that will add the
> destination domain ip address to a bypass list.
> It’s not trivial but I have seen such implementation on ssl bump.
>
> Can you please redirect me to the specific email with the bug details?
>
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Hardik Dangar
> Sent: Monday, January 2, 2017 8:47 AM
> To: Alex Rousskov <rousskov at measurement-factory.com>
> Cc: Squid Users <squid-users at lists.squid-cache.org>
> Subject: Re: [squid-users] Squid Websocket Issue
>
> @amos or anyone else from dev team
>
> Can you confirm this is intentional behavior or bug ?
>
> On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <mailto:
> rousskov at measurement-factory.com> wrote:
> On 12/27/2016 04:50 AM, Hardik Dangar wrote:
>
> > If i remove !serverIsws somehow websockets will not work.
>
> Then there is a bug somewhere AFAICT. It is your call whether to find
> out what that bug is [while continuing to use a potentially dangerous
> workaround].
>
> Alex.
>
>
> > On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote:
> >
> >     On 12/20/2016 02:42 AM, Hardik Dangar wrote:
> >     > Following changes in config works and whatsapp starts working,
> >     >
> >     > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
> >     >
> >     > acl step1 at_step SslBump1
> >     > ssl_bump peek step1
> >     > ssl_bump splice serverIsws
> >     > ssl_bump bump !serverIsws all
> >
> >     You do not need the "!serverIsws" part because if serverIsws matches,
> >     then the splice rule wins, and Squid does not reach the bump rule.
> This
> >     configuration is sufficient:
> >
> >       ssl_bump peek step1
> >       ssl_bump splice serverIsws
> >       ssl_bump bump all
> >
> >     In theory, adding "!serverIsws" does not hurt. However, negating
> complex
> >     ACLs is tricky/dangerous and should be avoided when possible.
> >
> >     Alex.
> >
> >
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170102/21cd449c/attachment.html>

More information about the squid-users mailing list